On Sun, Aug 10, 2008 at 2:41 PM, John Campbell <[EMAIL PROTECTED]> wrote:
>> How do you handle this scenario?
>
> I looked at what amazon.com does and assumed they have it right. The
> only process that is https is the checkout process. Once you enter
> the checkout process, there are essentially zero links on the https
> pages.
>
> I feel that once someone clicks "checkout", there should be zero
> distractions. Amazon does a really good job with this; most of the
> airlines have checkout processes that include unnecessary stuff like
> site navigation.
>
> This doesn't really answer your question, but if the checkout process
> is really simple, the problem of http/https switching tends to go
> away.

The "no distractions" method is pretty much what my current site does. But now I'm developing a generic framework and my new site will have other pages aside from the cart that need to be protected. So I'm trying to normalize things a little. I'd rather not use an application-specific solution.

I'm starting to think that the redirect technique is the way to go since it can be cleanly implemented (see pseudo code below) in the bootstrap orthogonally to everything else and can give total separation regarding host, cookies, sessions and so on if security is critical.

$https_routes = array(
    'cart' => true,
    'account/logon' => true,
    'contacts' => true,
);

$scheme = false;
if (does_request_target_match_route($https_routes)) {
    if (!is_https()) {
        $scheme = 'https://';
    }
} else {
    if (is_https()) {
        $scheme = 'http://';
    }
}
if ($scheme) {
    header('Location: ' . rebuild_url_with_new_scheme($scheme));
    exit();
}

Mike

--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
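
A runnable form of the redirect pseudo code in the message above, as an added example that is not the poster's code. `CANONICAL_HOST`, `route_needs_https()` and `scheme_redirect_target()` are assumed names, the host value is a constructed placeholder, and prefix matching of routes is an assumption about what the route check should do.

```php
<?php
// Added example; helper names and CANONICAL_HOST are assumptions, not the poster's code.
const CANONICAL_HOST = 'shop.example.com';          // constructed placeholder host
const HTTPS_ROUTES = ['cart', 'account/logon', 'contacts'];

// True when the request path equals a protected route or lies beneath it.
function route_needs_https(string $path, array $routes): bool
{
    $path = trim($path, '/');
    foreach ($routes as $route) {
        if ($path === $route || strpos($path, $route . '/') === 0) {
            return true;
        }
    }
    return false;
}

// Detects direct TLS only; behind a TLS-terminating proxy use the proxy's own signal.
function is_https(array $server): bool
{
    return !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
}

// Returns the URL to redirect to, or null when the scheme is already correct.
function scheme_redirect_target(array $server, array $routes): ?string
{
    $parts = parse_url($server['REQUEST_URI'] ?? '/');
    $ok    = is_array($parts) && isset($parts['path']) && strncmp($parts['path'], '/', 1) === 0;
    $path  = $ok ? $parts['path'] : '/';             // malformed targets fall back to "/"
    $query = ($ok && isset($parts['query'])) ? '?' . $parts['query'] : '';

    $want = route_needs_https($path, $routes);
    if ($want === is_https($server)) {
        return null;
    }
    // The host comes from configuration, never from the client-supplied Host header.
    return ($want ? 'https://' : 'http://') . CANONICAL_HOST . $path . $query;
}

if (PHP_SAPI !== 'cli') {
    $target = scheme_redirect_target($_SERVER, HTTPS_ROUTES);
    $method = $_SERVER['REQUEST_METHOD'] ?? 'GET';
    // Redirect only GET/HEAD: a 302 on POST would discard the submitted body.
    if ($target !== null && in_array($method, ['GET', 'HEAD'], true)) {
        header('Location: ' . $target, true, 302);
        exit();
    }
}
```

A session cookie issued on the protected routes needs the Secure flag; without it the browser also sends that cookie on the plain-http pages of the same host.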